我们正在将 Linux 机器集成到我们的 Active Directory 基础架构中。它运行良好,用户使用他们的 AD 凭据登录,并通过 PAM-mount 访问 cifs-network-shares。但是,如果我们运行一些访问 cifs 资源的冗长脚本,Kerberos 票证就会超时
OSError: [Errno 126] Required key not available:
我认为我们已经尝试在 sssd 配置中避免这种情况(我们使用的是 Ubuntu 22.04):
[sssd]
domains = xxx.local
config_file_version = 2
services = nss, pam
[domain/xxx.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = XXX.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
override_homedir = /home/%u
ad_domain = xxx.local
simple_allow_users = [email protected]
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = simple
auto_private_groups = true
krb5_renewable_lifetime = 1d
krb5_renew_interval = 1h
klist 显示的是:
Ticket cache: FILE:/tmp/krb5cc_1324623095_R1z9ly
Default principal: [email protected]
Valid starting Expires Service principal
09/18/2022 17:30:15 09/19/2022 03:30:15 krbtgt/[email protected]
renew until 09/19/2022 17:30:10
09/18/2022 17:37:50 09/19/2022 03:30:15 cifs/[email protected]
renew until 09/19/2022 17:30:10
我错过了什么?